Re: Nifi Registry LDAP

Tue, 10 Apr 2018 13:22:19 -0700 

Thanks; that certainly narrows it down. It could be that you’ve uncovered a bug 
with the LdapIdentityProvider when using START_TLS. I’ll try to recreate it and 
dig into it on my end. Thanks for sharing all this info.

 

Kevin

 

From: Scott Howell <scotthow...@mobilgov.com>
Reply-To: <users@nifi.apache.org>
Date: Tuesday, April 10, 2018 at 16:05
To: <users@nifi.apache.org>
Subject: Re: Nifi Registry LDAP

 

I was able to remove the TLS information in the identity-provider.xml and was 
able to use my remote LDAP to login. So I think I am narrowing down the issue.

 

 



On Apr 10, 2018, at 2:57 PM, Kevin Doran <kdo...@apache.org> wrote:

 

Thanks Scott,

 

I don’t see anything wrong with your configuration. I created a free jumpcloud 
account, so I’ll try to recreate this issue and get back to you if I have any 
other insights.

 

Kevin

 

From: Scott Howell <scotthow...@mobilgov.com>
Reply-To: <users@nifi.apache.org>
Date: Tuesday, April 10, 2018 at 15:54
To: <users@nifi.apache.org>
Subject: Re: Nifi Registry LDAP

 

I was able to switch back to my local LDAP server and was able to login 
successfully. The provider I am using in identity-providers.xml is as follows:

 

<provider>

        <identifier>ldap-identity-provider</identifier>

        
<class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class>

        <property name="Authentication Strategy">SIMPLE</property>

 

        <property name="Manager DN">cn=Manager,dc={redacted},dc=com</property>

        <property name="Manager Password">{redacted}</property>

 

 

        <property name="Referral Strategy">FOLLOW</property>

        <property name="Connect Timeout">10 secs</property>

        <property name="Read Timeout">10 secs</property>

 

        <property name="Url">ldap://{redacted}:389</property>

        <property name="User Search 
Base">ou=users,dc={redacted},dc=com</property>

        <property name="User Search Filter">uid={0}</property>

 

        <property name="Identity Strategy">USE_DN</property>

        <property name="Authentication Expiration">12 hours</property>

    </provider>

 

This is a super strange issue as to why nifi works with the remote LDAP and 
nifi-registry does not. 

 


On Apr 10, 2018, at 2:18 PM, Scott Howell <scotthow...@mobilgov.com> wrote:

 

Thanks Kevin for sending that back,

 

This is what I see when looking at the Headers on the login. 

<Screen Shot 2018-04-10 at 2.15.35 PM.png>

 

The version of Nifi-Registry I am running is 0.1.0. What confuses me is that 
this was working with my local LDAP fine. It just stopped working when I 
switched to setting up the identity-provider.xml with the same credentials as 
my nifi-cluster. 

 

 




On Apr 10, 2018, at 2:10 PM, Kevin Doran <kdo...@apache.org> wrote:

 

If everything is configured correctly, this error usually indicates that the 
server did not locate your login credentials when processing the login request. 
That usually means it will not even attempt to authenticate the credentials, so 
I'm not sure it is an LDAP configuration error.

 

If you want to check this manually using developer tools in a browser (e.g., 
Chrome or Firefox) you can look at the HTTP traffic to see if credentials are 
being passed to the server. NiFi Registry uses the HTTP Basic Auth protocol to 
login (credentials are encoded in the Authorization header and passed to the 
server from the login page to generate a temporary authentication token). 

 

So after clicking "Login", you should look for an HTTP POST to 
<base_url>/nifi-registry-api/access/token/login, which should have an 
"Authorization" header with the value "Basic {encoded-username-and-password}"

 

If the credentials are there, it is likely something is misconfigured on the 
server side with the identity provider so that login credentials are not even 
being looked for. If the credentials are not there... well I've never seen 
that. I would probably as if your NiFi Registry Server running behind a load 
balancer or proxy that could be interfering with HTTP headers?

 

What version of NiFi Registry are you using? 0.1.0 or a version built from 
source?

 

Hope this helps,

Kevin

 

 

On 4/10/18, 14:59, "Scott Howell" <scotthow...@mobilgov.com> wrote:

 

    Yes I did, I had Nifi-registry working with a local instances of LDAP 
running. It’s now not cooperating since I moved to using Jumpcloud. 

    

    > On Apr 10, 2018, at 1:56 PM, Kevin Doran <kdo...@apache.org> wrote:

    > 

    > Hi Scott,

    > 

    > Did you configure nifi-registry.properties with:

    > 

    > nifi.registry.security.identity.provider=ldap-identity-provider

    > 

    > On 4/10/18, 14:53, "Scott Howell" <scotthow...@mobilgov.com> wrote:

    > 

    >    Thanks for the all the help yesterday standing up LDAP for NIFI. I was 
able to troubleshoot and fix the issues myself. I am running into a unique 
issue with my Nifi-Registry when I try to login with my LDAP credentials like I 
do for the nifi cluster I get in my logs with this:

    > 

    >    2018-04-10 18:43:15,303 INFO [NiFi Registry Web Server-18] 
o.a.n.r.w.s.NiFiRegistrySecurityConfig AuthenticationEntryPoint invoked as no 
user identity credentials were found in the request.

    > 

    >    My identity-providers.xml is this:

    >    <identityProviders>

    >         <provider> 

    >                          <identifier>ldap-identity-provider</identifier>  
                                                                                
                                                                                
 <class>org.apache.nifi.registry.security.ldap.LdapIdentityProvider</class> 

    >                          <property name="Authentication 
Strategy">START_TLS</property>

    >                          <property name="Manager 
DN">uid=nifi,ou=Users,o={redacted},dc=jumpcloud,dc=com</property>

    >                          <property name="Manager 
Password">{redacted}</property> 

    >                          <property name="TLS - Keystore”>

    >                         </property>

    >                          <property name="TLS - Keystore 
Password"></property> 

    >                          <property name="TLS - Keystore Type"></property>

    >                          <property name="TLS - 
Truststore">/opt/certs/jumpcloud.jks</property> 

    >                          <property name="TLS - Truststore 
Password">{redacted}</property>                     

    >                         <property name="TLS - Truststore 
Type">JKS</property> 

    >                          <property name="TLS - Client Auth"></property> 

    >                          <property name="TLS - 
Protocol">TLSv1.2</property>

    >                          <property name="TLS - Shutdown 
Gracefully"></property>

    >                          <property name="Referral 
Strategy">FOLLOW</property> 

    >                          <property name="Connect Timeout">10 
secs</property> 

    >                          <property name="Read Timeout">10 secs</property> 

    >                          <property 
name="Url">ldap://ldap.jumpcloud.com:389</property> 

    >                          <property name="User Search 
Base">ou=Users,o={redacted},dc=jumpcloud,dc=com</property> 

    >                          <property name="User Search 
Filter">uid={0}</property> 

    >                          <property name="Identity 
Strategy">USE_USERNAME</property> 

    >                          <property name="Authentication Expiration">12 
hours</property> 

    >          </provider>

    >    </identityProviders>

    > 

    >    For the most part I grabbed most of this from my Nifi node 
login-identity-providers.xml but I seem to have something messed up.

    > 

    >

Reply via email to